chore: static sig metadata declaration

Compared to the previous method of defining metadata, using static signature metadata declaration has been shown to improve performance by approximately 20% to 30%, according to benchmark results.
aquasecurity · Aug 7, 2024 · 4a5dbbb · 4a5dbbb
1 parent 5a82fd0
commit 4a5dbbb
Show file tree

Hide file tree

Showing 31 changed files with 524 additions and 462 deletions.
diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
@@ -14,28 +14,30 @@ type AntiDebuggingPtraceme struct {
 	ptraceTraceMe string
 }
 
+var antiDebuggingPtracemeMetada = detect.SignatureMetadata{
+	ID:          "TRC-102",
+	Version:     "1",
+	Name:        "Anti-Debugging detected",
+	EventName:   "anti_debugging",
+	Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
+	Properties: map[string]interface{}{
+		"Severity":             1,
+		"Category":             "defense-evasion",
+		"Technique":            "Debugger Evasion",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+		"external_id":          "T1622",
+	},
+}
+
 func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
 	sig.ptraceTraceMe = "PTRACE_TRACEME"
 	return nil
 }
 
 func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-102",
-		Version:     "1",
-		Name:        "Anti-Debugging detected",
-		EventName:   "anti_debugging",
-		Description: "A process used anti-debugging techniques to block a debugger. Malware use anti-debugging to stay invisible and inhibit analysis of their behavior.",
-		Properties: map[string]interface{}{
-			"Severity":             1,
-			"Category":             "defense-evasion",
-			"Technique":            "Debugger Evasion",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
-			"external_id":          "T1622",
-		},
-	}, nil
+	return antiDebuggingPtracemeMetada, nil
 }
 
 func (sig *AntiDebuggingPtraceme) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go
@@ -14,28 +14,30 @@ type AslrInspection struct {
 	aslrPath string
 }
 
+var aslrInspectionMetadata = detect.SignatureMetadata{
+	ID:          "TRC-109",
+	Version:     "1",
+	Name:        "ASLR inspection detected",
+	EventName:   "aslr_inspection",
+	Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.",
+	Properties: map[string]interface{}{
+		"Severity":             0,
+		"Category":             "privilege-escalation",
+		"Technique":            "Exploitation for Privilege Escalation",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
+		"external_id":          "T1068",
+	},
+}
+
 func (sig *AslrInspection) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
 	sig.aslrPath = "/proc/sys/kernel/randomize_va_space"
 	return nil
 }
 
 func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-109",
-		Version:     "1",
-		Name:        "ASLR inspection detected",
-		EventName:   "aslr_inspection",
-		Description: "The ASLR (address space layout randomization) configuration was inspected. ASLR is used by Linux to prevent memory vulnerabilities. An adversary may want to inspect and change the ASLR configuration in order to avoid detection.",
-		Properties: map[string]interface{}{
-			"Severity":             0,
-			"Category":             "privilege-escalation",
-			"Technique":            "Exploitation for Privilege Escalation",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
-			"external_id":          "T1068",
-		},
-	}, nil
+	return aslrInspectionMetadata, nil
 }
 
 func (sig *AslrInspection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/cgroup_notify_on_release_modification.go b/signatures/golang/cgroup_notify_on_release_modification.go
@@ -15,28 +15,30 @@ type CgroupNotifyOnReleaseModification struct {
 	notifyFileName string
 }
 
+var cgroupNotifyOnReleaseModificationMetadata = detect.SignatureMetadata{
+	ID:          "TRC-106",
+	Version:     "1",
+	Name:        "Cgroups notify_on_release file modification",
+	EventName:   "cgroup_notify_on_release",
+	Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
+	Properties: map[string]interface{}{
+		"Severity":             3,
+		"Category":             "privilege-escalation",
+		"Technique":            "Escape to Host",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+		"external_id":          "T1611",
+	},
+}
+
 func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
 	sig.notifyFileName = "notify_on_release"
 	return nil
 }
 
 func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-106",
-		Version:     "1",
-		Name:        "Cgroups notify_on_release file modification",
-		EventName:   "cgroup_notify_on_release",
-		Description: "An attempt to modify Cgroup notify_on_release file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
-		Properties: map[string]interface{}{
-			"Severity":             3,
-			"Category":             "privilege-escalation",
-			"Technique":            "Escape to Host",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
-			"external_id":          "T1611",
-		},
-	}, nil
+	return cgroupNotifyOnReleaseModificationMetadata, nil
 }
 
 func (sig *CgroupNotifyOnReleaseModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/cgroup_release_agent_modification.go b/signatures/golang/cgroup_release_agent_modification.go
@@ -15,28 +15,30 @@ type CgroupReleaseAgentModification struct {
 	releaseAgentName string
 }
 
+var cgroupReleaseAgentModificationMetadata = detect.SignatureMetadata{
+	ID:          "TRC-1010",
+	Version:     "1",
+	Name:        "Cgroups release agent file modification",
+	EventName:   "cgroup_release_agent",
+	Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
+	Properties: map[string]interface{}{
+		"Severity":             3,
+		"Category":             "privilege-escalation",
+		"Technique":            "Escape to Host",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+		"external_id":          "T1611",
+	},
+}
+
 func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
 	sig.releaseAgentName = "release_agent"
 	return nil
 }
 
 func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-1010",
-		Version:     "1",
-		Name:        "Cgroups release agent file modification",
-		EventName:   "cgroup_release_agent",
-		Description: "An attempt to modify Cgroup release agent file was detected. Cgroups are a Linux kernel feature which limits the resource usage of a set of processes. Adversaries may use this feature for container escaping.",
-		Properties: map[string]interface{}{
-			"Severity":             3,
-			"Category":             "privilege-escalation",
-			"Technique":            "Escape to Host",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
-			"external_id":          "T1611",
-		},
-	}, nil
+	return cgroupReleaseAgentModificationMetadata, nil
 }
 
 func (sig *CgroupReleaseAgentModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/core_pattern_modification.go b/signatures/golang/core_pattern_modification.go
@@ -15,28 +15,30 @@ type CorePatternModification struct {
 	corePattern string
 }
 
+var corePatternModificationMetadata = detect.SignatureMetadata{
+	ID:          "TRC-1011",
+	Version:     "1",
+	Name:        "Core dumps configuration file modification detected",
+	EventName:   "core_pattern_modification",
+	Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.",
+	Properties: map[string]interface{}{
+		"Severity":             3,
+		"Category":             "privilege-escalation",
+		"Technique":            "Escape to Host",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+		"external_id":          "T1611",
+	},
+}
+
 func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
 	sig.corePattern = "/proc/sys/kernel/core_pattern"
 	return nil
 }
 
 func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-1011",
-		Version:     "1",
-		Name:        "Core dumps configuration file modification detected",
-		EventName:   "core_pattern_modification",
-		Description: "Modification of the core dump configuration file (core_pattern) detected. Core dumps are usually written to disk when a program crashes. Certain modifications enable container escaping through the kernel core_pattern feature.",
-		Properties: map[string]interface{}{
-			"Severity":             3,
-			"Category":             "privilege-escalation",
-			"Technique":            "Escape to Host",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
-			"external_id":          "T1611",
-		},
-	}, nil
+	return corePatternModificationMetadata, nil
 }
 
 func (sig *CorePatternModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/default_loader_modification.go b/signatures/golang/default_loader_modification.go
@@ -16,6 +16,22 @@ type DefaultLoaderModification struct {
 	compiledRegex        *regexp.Regexp
 }
 
+var defaultLoaderModificationMetadata = detect.SignatureMetadata{
+	ID:          "TRC-1012",
+	Version:     "1",
+	Name:        "Default dynamic loader modification detected",
+	EventName:   "default_loader_mod",
+	Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.",
+	Properties: map[string]interface{}{
+		"Severity":             3,
+		"Category":             "defense-evasion",
+		"Technique":            "Hijack Execution Flow",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+		"external_id":          "T1574",
+	},
+}
+
 func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error {
 	var err error
 	sig.cb = ctx.Callback
@@ -25,21 +41,7 @@ func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-1012",
-		Version:     "1",
-		Name:        "Default dynamic loader modification detected",
-		EventName:   "default_loader_mod",
-		Description: "The default dynamic loader has been modified. The dynamic loader is an executable file loaded to process memory and run before the executable to load dynamic libraries to the process. An attacker might use this technique to hijack the execution context of each new process and bypass defenses.",
-		Properties: map[string]interface{}{
-			"Severity":             3,
-			"Category":             "defense-evasion",
-			"Technique":            "Hijack Execution Flow",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
-			"external_id":          "T1574",
-		},
-	}, nil
+	return defaultLoaderModificationMetadata, nil
 }
 
 func (sig *DefaultLoaderModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/disk_mount.go b/signatures/golang/disk_mount.go
@@ -15,28 +15,30 @@ type DiskMount struct {
 	devDir string
 }
 
+var diskMountMetadata = detect.SignatureMetadata{
+	ID:          "TRC-1014",
+	Version:     "1",
+	Name:        "Container device mount detected",
+	EventName:   "disk_mount",
+	Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.",
+	Properties: map[string]interface{}{
+		"Severity":             3,
+		"Category":             "privilege-escalation",
+		"Technique":            "Escape to Host",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
+		"external_id":          "T1611",
+	},
+}
+
 func (sig *DiskMount) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
 	sig.devDir = "/dev/"
 	return nil
 }
 
 func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-1014",
-		Version:     "1",
-		Name:        "Container device mount detected",
-		EventName:   "disk_mount",
-		Description: "Container device filesystem mount detected. A mount of a host device filesystem can be exploited by adversaries to perform container escape.",
-		Properties: map[string]interface{}{
-			"Severity":             3,
-			"Category":             "privilege-escalation",
-			"Technique":            "Escape to Host",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--4a5b7ade-8bb5-4853-84ed-23f262002665",
-			"external_id":          "T1611",
-		},
-	}, nil
+	return diskMountMetadata, nil
 }
 
 func (sig *DiskMount) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

diff --git a/signatures/golang/docker_abuse.go b/signatures/golang/docker_abuse.go
@@ -15,28 +15,30 @@ type DockerAbuse struct {
 	dockerSock string
 }
 
+var dockerAbuseMetadata = detect.SignatureMetadata{
+	ID:          "TRC-1019",
+	Version:     "1",
+	Name:        "Docker socket abuse detected",
+	EventName:   "docker_abuse",
+	Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.",
+	Properties: map[string]interface{}{
+		"Severity":             2,
+		"Category":             "privilege-escalation",
+		"Technique":            "Exploitation for Privilege Escalation",
+		"Kubernetes_Technique": "",
+		"id":                   "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
+		"external_id":          "T1068",
+	},
+}
+
 func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error {
 	sig.cb = ctx.Callback
 	sig.dockerSock = "docker.sock"
 	return nil
 }
 
 func (sig *DockerAbuse) GetMetadata() (detect.SignatureMetadata, error) {
-	return detect.SignatureMetadata{
-		ID:          "TRC-1019",
-		Version:     "1",
-		Name:        "Docker socket abuse detected",
-		EventName:   "docker_abuse",
-		Description: "An attempt to abuse the Docker UNIX socket inside a container was detected. docker.sock is the UNIX socket that Docker uses as the entry point to the Docker API. Adversaries may attempt to abuse this socket to compromise the system.",
-		Properties: map[string]interface{}{
-			"Severity":             2,
-			"Category":             "privilege-escalation",
-			"Technique":            "Exploitation for Privilege Escalation",
-			"Kubernetes_Technique": "",
-			"id":                   "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
-			"external_id":          "T1068",
-		},
-	}, nil
+	return dockerAbuseMetadata, nil
 }
 
 func (sig *DockerAbuse) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {